The Hacker News — Cyber Security, Hacking, Technology News

The company behind the MacKeeper anti-virus suite is making headlines today for lax security that exposed a database of 13 million Mac users' records, including names, email addresses, usernames, password hashes, IP addresses, phone numbers, and system information.

MacKeeper is a software suite that claims to make Apple Macs more secure and stable, but today the anti-virus itself needs some extra protection after a data breach exposed the personal and sensitive information of millions of its customers.

The data breach was discovered by Chris Vickery, a white hat hacker who was able to download 13 million customer records simply by connecting to a handful of IP addresses, with no username or password required to access the data.

21 GB Trove of MacKeeper Customer Data Leaked

31-year-old Vickery said he uncovered the 21 GB trove of MacKeeper customer data in a moment of boredom while using Shodan, a specialized search engine that indexes virtually anything connected to the Internet, to look for openly accessible databases that require no authentication.

"The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances (as some have already guessed)," Vickery said in a Reddit post. "I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random 'port:27017' search on Shodan."

As a result, four IP addresses took him straight to a MongoDB database containing a range of personal information, including:

Customer Names

Email addresses

Usernames

Password hashes

Mobile phone numbers

IP addresses

System information

Software licenses and activation codes
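The exposure described above comes down to two mongod settings: which interfaces the server listens on and whether clients must authenticate. The following audit script is an added example, not code from the article or from Kromtech; it parses the flat "section: key: value" layout of a mongod.conf (a YAML subset, handled without PyYAML) and flags the exposed shape beside a hardened one. Both sample configs are constructed.

```python
# Added example: audit a mongod.conf for the settings whose absence leaves a
# MongoDB instance reachable from the Internet with no credentials.
from typing import Dict, List

def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:\n  key: value' YAML subset used by mongod.conf."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):               # top-level "section:"
            section = line.rstrip(":").strip()
            conf[section] = {}
        elif section is not None:                  # indented "key: value"
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf

def audit_exposure(conf_text: str) -> List[str]:
    """Return findings; an empty list means the two checks pass."""
    conf = parse_mongod_conf(conf_text)
    findings: List[str] = []
    net = conf.get("net", {})
    if "bindIp" not in net:
        findings.append("net.bindIp not set: mongod releases before 3.6 listen on all interfaces by default")
    else:
        for addr in (a.strip() for a in net["bindIp"].split(",")):
            if addr in ("0.0.0.0", "::"):
                findings.append(f"net.bindIp includes {addr}: mongod listens on all interfaces")
            elif not (addr.startswith("127.") or addr in ("::1", "localhost")):
                findings.append(f"net.bindIp includes {addr}: reachable beyond the local host")
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': any client that reaches the port can read every database")
    return findings

# Constructed sample configs: the exposed shape and the hardened one.
EXPOSED_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = ("storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n"
                 "  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_exposure(text) or ["no findings"])
```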

Security Product Using Weak Algorithm to Hash Passwords

Although the passwords were not stored in plain text, Vickery believes that MacKeeper was protecting its customer passwords with weak MD5 hashes, which allow anyone to crack the passwords in seconds using readily available MD5 cracking tools.
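The defensive answer to a store full of fast, unsalted MD5 hashes is to re-hash each password with a slow, salted KDF the next time its owner logs in. The code below is an added example, not MacKeeper's or Kromtech's code; it uses PBKDF2-HMAC-SHA256 from the standard library, an assumed iteration count, and a constructed two-user store.

```python
# Added example: recognise legacy unsalted MD5 records and upgrade them to
# salted PBKDF2-HMAC-SHA256 transparently on a successful login.
import hashlib
import hmac
import os
from typing import Dict

PBKDF2_ITERATIONS = 600_000   # assumption: tune so one hash costs ~100 ms on your hardware

def hash_password(password: str) -> str:
    """Return 'pbkdf2$<iterations>$<salt-hex>$<hash-hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def is_legacy_md5(stored: str) -> bool:
    """A bare 32-hex-character record is the unsalted MD5 format being migrated."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison for both the legacy and the upgraded format."""
    pw = password.encode()
    if is_legacy_md5(stored):
        return hmac.compare_digest(hashlib.md5(pw).hexdigest(), stored.lower())
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Verify the password; on success, replace a legacy MD5 record in place."""
    stored = store.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if is_legacy_md5(stored):
        store[user] = hash_password(password)   # upgrade-on-login
    return True

# Constructed sample store: one legacy MD5 user, one already-migrated user.
USERS: Dict[str, str] = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),   # legacy, unsalted
    "bob": hash_password("battery staple"),
}

if __name__ == "__main__":
    print("alice before:", USERS["alice"])
    print("login ok:", login(USERS, "alice", "correct horse"))
    print("alice after:", USERS["alice"][:32] + "...")
```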

The company responded to the issue after Vickery posted it on Reddit, saying it had no evidence that the data was accessed by malicious parties.

"Analysis of our data storage system shows only one individual gained access performed by the security researcher himself," Kromtech, the maker of MacKeeper, said in a statement. "We have been in communication with Chris, and he has not shared or used the data inappropriately."

Though the company claims Vickery was the only person to access the MacKeeper users' information, you should still change your MacKeeper password, along with the password on any website where you reused it.

A controversial piece of security and maintenance software for Mac OS X computers, known as MacKeeper, has been found vulnerable to a critical remote code execution flaw.

MacKeeper antivirus software for Mac OS X is designed to improve Mac performance and security, but it is infamous for its noisy "clean up your Mac" pop-under ads that stress the need for a system cleanup. If you try to close the ad, the software confronts you with a "Leave Page/Stay on This Page" dialogue.

The vulnerability, details of which were disclosed on Friday after the patch was released, allows an attacker to remotely execute malicious commands with root privileges on Mac OS X systems when a victim visits a specially crafted web page.

MacKeeper Versions Earlier Than 3.4.1 Are Affected

The remote code execution flaw, which affects versions earlier than 3.4.1, is caused by the way the MacKeeper malware removal software handles its custom URL scheme, security researchers at SecureMac explained in an advisory.

A remote attacker who tricks the victim into visiting a maliciously crafted web page could exploit the flaw and execute arbitrary code with root privileges on the compromised system, with "little to no user interaction" required.

Proof-of-Concept Exploit Released

Security researcher Braden Thomas reported the flaw last Thursday with a proof-of-concept (PoC) exploit that demonstrates the attack in action.

The proof-of-concept exploit published by Thomas on Twitter takes advantage of MacKeeper's lack of input validation and automatically triggers a command to uninstall MacKeeper from the system when the victim lands on the malicious web page.

"If the user hasn't previously authenticated, they will be prompted to enter their username and password," the advisory states, "however the text that appears for the authentication dialogue can be manipulated as part of the exploit … so the user might not realise the consequences of this action."
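The advisory describes two handler failures: the action named in the URL was executed without validation, and the authentication prompt text could be supplied by the attacker. The handler below is an added example for a hypothetical "helperapp://" scheme, not MacKeeper's code; it treats the URL as untrusted input, allowlists actions and their parameters, and keeps any confirmation text fixed in code so nothing from the URL reaches the user prompt or a command line.

```python
# Added example (hypothetical "helperapp://" scheme): a custom URL handler that
# validates everything it receives instead of acting on the URL directly.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit, parse_qs

SCHEME = "helperapp"

@dataclass(frozen=True)
class Action:
    name: str
    privileged: bool               # needs admin rights, so it must be confirmed
    prompt: str                    # confirmation text lives here, never in the URL
    allowed_params: FrozenSet[str]

ACTIONS: Dict[str, Action] = {
    "open-report": Action("open-report", False, "", frozenset({"id"})),
    "uninstall": Action("uninstall", True,
                        "Remove HelperApp and all of its components?", frozenset()),
}

@dataclass
class Decision:
    action: Optional[str]
    params: Dict[str, str]
    prompt: Optional[str]          # None means no confirmation is needed
    error: Optional[str] = None

def handle_url(url: str) -> Decision:
    """Return the validated action, or an error; nothing here shells out."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME:
        return Decision(None, {}, None, "wrong scheme")
    action = ACTIONS.get(parts.netloc.lower())
    if action is None or parts.path not in ("", "/"):
        return Decision(None, {}, None, "unknown action")
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) - action.allowed_params or any(len(v) != 1 for v in query.values()):
        return Decision(None, {}, None, "unexpected parameters")   # e.g. attacker-supplied prompt text
    params = {k: v[0] for k, v in query.items()}
    if action.name == "open-report" and not params.get("id", "").isdigit():
        return Decision(None, {}, None, "bad report id")            # no paths, no shell metacharacters
    return Decision(action.name, params, action.prompt if action.privileged else None)

if __name__ == "__main__":
    for u in ("helperapp://open-report?id=42", "helperapp://uninstall",
              "helperapp://uninstall?message=Click+OK", "https://example.com/"):
        print(u, "->", handle_url(u))
```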

Vulnerability Patched, Update Released

When SecureMac published the details of the flaw, the vulnerability was still a zero-day; since then, the developers of MacKeeper have released an update, MacKeeper version 3.4.1, that patches the custom URL scheme handling.

MacKeeper malware removal software has been downloaded more than 20 million times, an enormous number. Therefore, to be safe, run MacKeeper Update Tracker and install the latest version of MacKeeper, version 3.4.1 or later.

So far, it isn't clear how many users this critical vulnerability has potentially affected; however, MacKeeper has assured its users that the company is not aware of any security breach exploiting it.